U.S. Customs and Border Protection (CBP) issued a new policy on border searches of electronic devices that's full of loopholes and vague language and that continues to allow agents to violate travelers’ constitutional rights. Although the new policy contains a few improvements over rules first published nine years ago, overall it doesn’t go nearly far enough to protect the privacy of innocent travelers or to recognize how exceptionally intrusive electronic device searches are.

Nothing announced in the policy changes the fact that these device searches are unconstitutional, and EFF will continue to fight for travelers’ rights in our border search lawsuit.

Below is a legal analysis of some of the key features of the new policy.

The New Policy Purports to Require Reasonable Suspicion for Forensic Searches, But Contains a Huge Loophole and Has Other Problems

CBP’s previous policy permitted agents to search a traveler’s electronic devices at the border without having to show that they suspect that person of any wrongdoing. The new policy creates a distinction between two different types of searches, “basic” and “advanced.” Basic searches are when agents manually search a device by tapping or mousing around a device to open applications or files. Advanced searches are when agents use other devices or software to conduct forensic analysis of the contents of a device.

The updated policy states that basic searches can continue to be conducted without suspicion, while advanced searches require border agents to have “reasonable suspicion of activity in violation of the laws enforced or administered by CBP.” [5.1.4]

This new policy dichotomy appears to be inspired by the U.S. Court of Appeals for the Ninth Circuit’s 2013 case U.S. v. Cotterman, which required reasonable suspicion for forensic searches. CBP’s new policy defines advanced searches as those where a border agent “connects external equipment, through a wired or wireless connection, to an electronic device not merely to gain access to the device, but to review, copy, and/or analyze its contents.”

First, this new rule has one huge loophole—border agents don’t need to have reasonable suspicion to conduct an advanced device search when “there is a national security concern.” This exception will surely swallow the rule, as “national security” can be construed exceedingly broadly and CBP has provided few standards for agents to follow. The new policy references individuals on terrorist watch lists, but then mentions unspecified “other articulable factors as appropriate.”

Second, as we argue in our lawsuit against CBP and its sister agencies (now called Alasaad v. Nielsen), the Constitution requires border agents to obtain a probable cause warrant before searching electronic devices given the unprecedented and significant privacy interests travelers have in their digital data. Only a reasonable suspicion standard for electronic device searches at the border, and no court oversight of those searches, is insufficient under the Fourth Amendment to protect personal privacy. Thus, the new policy is wrong to state that it goes “above and beyond prevailing constitutional and legal requirements.” [4]

Third, it is inappropriate to have a legal rule hinge on the flimsy distinction between “manual/basic” and “forensic/advanced” searches. As we’ve argued previously, while forensic searches can obtain deleted files, “manual” searches can be effectively just as intrusive as “forensic” searches given that the government obtains essentially the same information regardless of what search method is used: all the emails, text messages, contact lists, photos, videos, notes, calendar entries, to-do lists, and browsing histories found on mobile devices. And all this data collectively can reveal highly personal and sensitive information about travelers—their political beliefs, religious affiliations, health conditions, financial status, sex lives, and family details.

Fourth, this new rule broadly asserts that border agents need only “reasonable suspicion of activity in violation of the laws enforced or administered by CBP” before conducting an advanced search. We argue that the Constitution requires that agents’ suspicions be tied to data on the device—in other words, border agents must have a basis to believe that the device itself contains evidence of a violation of an immigration or customs law, not a general belief that the traveler has violated an immigration or customs law.

The New Policy Explicitly (and Wrongly) Requires Travelers to Unlock Their Devices at the Border

The new policy basically states that travelers must unlock or decrypt their electronic devices and/or provide their device passwords to border agents. Specifically: “Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents.” [5.3.1]

This is simply wrong—as we explained in our border guide (March 2017), travelers have a right to refuse to unlock, decrypt, or provide passwords to border agents. However, there may be consequences, such as travel delay, device confiscation, or even denial of entry for non-U.S. persons.

The new policy finally confirms that CBP agents must avoid accessing data stored in the cloud when they conduct device searches by placing devices in airplane mode or otherwise disabling network connectivity. [5.1.2] In April 2017, the agency said that border agents could only access data that is stored locally on the device. EFF filed a Freedom of Information Act (FOIA) request to get a copy of that policy and to learn precisely how agents avoided accessing data stored remotely.

CBP initially stonewalled our efforts to get answers via our FOIA request, redacting the portions of the policy that explained how border agents avoided searching cloud content. But after we successfully appealed and got more information released, and CBP Acting Commissioner Kevin McAleenan made additional public statements, we were able to learn that border agents were disabling network connectivity on the devices.

Frustratingly, CBP continued to claim that the specific methods border agents used to disable network connectivity—which we suspected was primarily toggling on airplane mode—were secret law enforcement techniques. The redacted document states:

To avoid retrieving or accessing information stored remotely and not otherwise present on the device, where available, steps such as [REDACTED] must be taken prior to search.

Prior to conducting the search of an electronic device, an officer will [REDACTED].

Those details should never have been redacted under FOIA. CBP apparently now agrees. Section 5.1.2 of the new policy states:

To avoid retrieving or accessing information stored remotely and not otherwise present on the device, Officers will either request that the traveler disable connectivity to any network (e.g., by placing the device in airplane mode), or, where warranted by national security, law enforcement, officer safety, or other operational considerations, Officers will themselves disable network connectivity.

It thus appears that the new policy contains much of the same information that CBP redacted in response to our FOIA request. The fact that such information is now public in CBP’s updated policy makes the agency’s initial stonewalling all the more unreasonable.

The new policy provides more robust procedures for data that is protected by the attorney-client privilege (the concept that communications between attorneys and their clients are secret) or that is attorney work product (materials prepared by or for lawyers, or for litigation). A “filter team” will be used to segregate protected material. [5.2.1.2]

Unfortunately, no new protections are provided for other types of sensitive information, such as confidential source or work product information carried by journalists, or medical records.

While we welcome the improvements in the new policy, it’s important to note that it only applies to CBP. U.S. Immigration and Customs Enforcement (ICE), which includes agents from Homeland Security Investigations (HSI), has not issued a comparable new policy. And often times ICE/HSI agents are the ones who conduct border searches, not CBP agents, so any enhanced privacy protections found in the new policy are wholly inapplicable to searches by these agents.

CBP Must Update Policy in Three Years

Finally, the new policy must be reviewed again by CBP in three years. This is important, given that much has changed in the nine years since the original policy was published in 2009, yet CBP never updated its policy to reflect changes in the law that occurred during that time.

The loopholes and failures of CBP’s new policy for border searches of electronic devices demonstrate that the government continues to flout Fourth Amendment rights at the border. We look forward to putting these flawed policies before a judge in our lawsuit Alasaad v. Nielsen.

Related Updates

by Sophia Cope, Amul Kalia, Seth Schoen, and Adam SchwartzDownload the report as a PDF.EXECUTIVE SUMMARYThe U.S. government reported a five-fold increase in the number of electronic media searches at the border in a single year, from 4,764 in 2015 to 23,877 in 2016....

“We are recommending that people think about their digital privacy at the border before, during, and after travel,” said Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation. That is especially good advice for journalists who may have sensitive information on their devices and in their social...

Watchdog groups that keep tabs on digital privacy rights are concerned that U.S. Customs and Border Patrol agents are searching the phones and other digital devices of international travelers at border checkpoints in U.S. airports. The American Civil Liberties Union and the Electronic Frontier Foundation both say they have noticed...

This week Sen. Wyden (D-OR) sent a letter to Department of Homeland Security (DHS) Secretary John Kelly stating that he will soon introduce legislation that would require law enforcement agencies to obtain a warrant before searching the data on digital devices at the border. We applaud Sen. Wyden for...

Can agents force you to unlock your phone or laptop? No. But they can ask you to comply voluntarily and make the experience rather uncomfortable if you resist. Travelers must decide how much trouble they’re willing to put up with.Travelers who are not citizens could have further problems, especially if...

Now more than ever, it is apparent that U.S. Customs and Border Protection (CBP) and its parent agency, the Department of Homeland Security (DHS), are embarking on a broad campaign to invade the digital lives of innocent individuals.
The new DHS secretary, John Kelly, told a congressional committee this week...

The Council on American-Islamic Relations (CAIR) recently filed complaints against U.S Customs and Border Protection (CBP) for, in part, demanding social media information from Muslim American citizens returning home from traveling abroad. According to CAIR, CBP accessed public posts by demanding social media handles, and potentially accessed private...